Provider (Art. 16)
Fintech / scoring / KYC vendors: CE marking and Annex IV dossier mandatory for their banking customers.
AI Assurance — Banking
Triple convergence: EU AI Act, DORA and MiFID II
One assurance platform for the three frameworks at once. The evidence layer is common — redundancy across obligations is removed, not duplicated.
What we see in this sector
Internal model evidence for MiFID II rebuilt every audit cycle.
ICT traceability under DORA Art. 28 disconnected from the model lifecycle.
Automated credit scoring decisions under GDPR Art. 22 lacking operational explainability.
Typical use cases
- Credit and insurance scoring
- Transactional fraud detection
- Internal risk models (Pillar I and II)
- Robo-advisory and offer engine
Applicable regulatory frameworks
Primary frameworks
Reglamento (UE) 2024/1689 — Reglamento de Inteligencia Artificial
Reg. (UE) 2024/1689 · Official source →
EU AI Act. Applies whenever the system operates in the EU.
DORA — Resiliencia Operativa Digital
Reg. (UE) 2022/2554 · Official source →
ICT traceability, vendor management and tech risk governance in the financial sector.
MiFID II / Guía BCE EGIM — Modelos internos
Directiva 2014/65/UE · Official source →
Internal models in investment services and ECB guidance for supervised entities.
Cross-cutting frameworks
GDPR Art. 22 — Decisiones automatizadas
Reg. (UE) 2016/679 Art. 22 · Official source →
Automated individual decisions with legal effects on people.
ISO/IEC 42001:2023 — Sistema de Gestión de IA
ISO/IEC 42001:2023 · Official source →
Voluntary AI management framework, alignable with the EU AI Act.
ISO/IEC 27001 — Sistema de Gestión de Seguridad de la Información
ISO/IEC 27001:2022 · Official source →
ISMS framework; relevant if the organisation is already certified.
AI supply chain — your role determines your obligations
The EU AI Act distributes obligations by role (Arts. 16, 24, 26). In this sector each role contributes a different piece to assurance.
Integrator (Art. 24)
Model integrators and consultancies are responsible for package conformity under Art. 24 + DORA Art. 28.
Deployer (Art. 26)
The financial institution must operate the model with human oversight (Art. 14) and keep continuous traceability before the supervisor (ECB, ESMA, national supervisor).